A corrected version of Corollary 2 following Theorem 2 was posted in 'A Note on the Bivariate Coppersmith Theorem' by Jean-Sébastien Coron et al., and so I assume Theorem 2 is OK. However, it does not state anything about Theorem 3. The relevant link is https://link.springer.com/content/pdf/10.1007%2Fs00145-012-9121-x.pdf. Do we know if Theorem 3 in 'Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities' by Don Coppersmith is also valid?

In the conference version https://nymity.ch/anomalous-tor-keys/pdf/Coppersmith1996a.pdf, in Theorem 3 he has a result where the root bounds depend on the individual degrees ($\delta$ is the $x$-degree and $\tau$ is the $y$-degree) rather than on the total degree. It does not look like this version appears in the journal version linked above in this post. Is this version of the theorem correct? Are there references to it beyond this conference publication?

1 Answer

I was asked to comment here, but this question seems more relevant to the cryptography stackexchange. A move might be appropriate?

Anyway, there are three issues here.

I believe that the same argument as the one we presented in our Note on the Bivariate Coppersmith Theorem applies to Theorem 3 as well, but I haven't carried out the full computation. Since the exact same approach should work, it should not be difficult to adapt the proof to be sure.

The remark after Theorem 3 in the journal version of Coppersmith's paper addresses the issue of distinct degrees in $x$ and $y$ (without proof, but it's not a difficult exercise to do it).

The more important point is that the minor issue with exhaustive search is not what Peikert refers to regarding the lack of a rigorous bivariate version of Coppersmith. What's needed for the Boneh–Durfee small exponent attack on RSA is a version of Coppersmith's theorem both in two variables and modulo $N$, and we do not know how to get that rigorously.

The issue is that Coppersmith's lattice reduction technique does provably give linearly independent polynomials that vanish at the roots we want, but to actually recover them, we need the polynomials to be algebraically independent, and this algebraic independence condition is hard to establish. In actual practical attacks, it seems to be satisfied essentially all the time, so cryptanalysts are usually happy to heuristically assume the condition is satisfied. However, one can also find cases when the heuristic fails, so there has been some work to try and obtain algorithms with completely rigorous proofs, with limited success so far.

An extended discussion of this problem can be found in Aurélie Bauer's Ph.D. thesis, Vers une généralisation rigoureuse des méthodes de Coppersmith pour la recherche de petites racines de polynômes (UVSQ, 2008). One of the results of the thesis is a rigorous version of Coppersmith in 3 variables over the integers, which is close to, but unfortunately not quite, what one needs for Boneh–Durfee.
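To make the distinction in the answer above concrete (linear independence of the polynomials coming out of lattice reduction versus the algebraic independence actually needed to read off the root), here is a small added illustration in plain Python. It is not code from the answerer or from Coppersmith's paper, and it skips the lattice step entirely: the bivariate polynomials `P1`, `P2`, `P3` are constructed by hand to share the integer root (3, -5). The usual way to recover a root from two bivariate polynomials is to eliminate one variable with a resultant; the block computes `Res_y` over Q[x] via a Sylvester determinant and then brute-forces small integer roots. `P1` and `P2` are algebraically independent and the resultant isolates the common roots, while `P3 = x * P1` is linearly independent of `P1` (it spans new monomials) yet algebraically dependent, so the resultant vanishes identically and nothing can be recovered. All function and variable names here are this example's own.

```python
from fractions import Fraction

# Univariate polynomials in x: coefficient lists over Q, index = degree,
# no trailing zeros, [] is the zero polynomial.
# Bivariate polynomials: dicts {(i, j): coeff} meaning sum coeff * x^i * y^j.

def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def padd(a, b):
    r = [Fraction(0)] * max(len(a), len(b))
    for i, c in enumerate(a):
        r[i] += c
    for i, c in enumerate(b):
        r[i] += c
    return trim(r)

def pneg(a):
    return [-c for c in a]

def pmul(a, b):
    if not a or not b:
        return []
    r = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, c in enumerate(a):
        for j, d in enumerate(b):
            r[i + j] += c * d
    return trim(r)

def pdivexact(a, b):
    """Exact division in Q[x]; the caller guarantees that b != 0 divides a."""
    a = list(a)
    q = [Fraction(0)] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        k = len(a) - len(b)
        c = a[-1] / b[-1]
        q[k] = c
        for i, d in enumerate(b):
            a[i + k] -= c * d
        trim(a)
    assert not a, "division was not exact"
    return trim(q)

def as_poly_in_y(p):
    """Rewrite a bivariate dict as [a_0, ..., a_m] with a_j in Q[x] the coefficient of y^j."""
    deg_y = max(j for _, j in p)
    coeffs = []
    for j in range(deg_y + 1):
        terms = {i: c for (i, jj), c in p.items() if jj == j}
        a = [Fraction(0)] * (max(terms) + 1 if terms else 0)
        for i, c in terms.items():
            a[i] = Fraction(c)
        coeffs.append(trim(a))
    return coeffs

def det(M):
    """Fraction-free (Bareiss) determinant of a square matrix over Q[x]."""
    n = len(M)
    M = [row[:] for row in M]
    prev, sign = [Fraction(1)], 1
    for k in range(n - 1):
        if not M[k][k]:  # zero pivot: swap in a row with a nonzero entry
            sw = next((i for i in range(k + 1, n) if M[i][k]), None)
            if sw is None:
                return []  # singular matrix, determinant is the zero polynomial
            M[k], M[sw] = M[sw], M[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                num = padd(pmul(M[i][j], M[k][k]), pneg(pmul(M[i][k], M[k][j])))
                M[i][j] = pdivexact(num, prev)
            M[i][k] = []
        prev = M[k][k]
    d = M[n - 1][n - 1]
    return pneg(d) if sign < 0 else d

def resultant_y(p1, p2):
    """Res_y(p1, p2) in Q[x]: determinant of the Sylvester matrix with respect to y."""
    A, B = as_poly_in_y(p1), as_poly_in_y(p2)
    m, n = len(A) - 1, len(B) - 1
    S = []
    for i in range(n):  # n shifted copies of the coefficients of p1
        row = [[] for _ in range(m + n)]
        for k, a in enumerate(reversed(A)):
            row[i + k] = a
        S.append(row)
    for i in range(m):  # m shifted copies of the coefficients of p2
        row = [[] for _ in range(m + n)]
        for k, b in enumerate(reversed(B)):
            row[i + k] = b
        S.append(row)
    return det(S)

def eval_poly(p, x):
    return sum((c * x ** i for i, c in enumerate(p)), Fraction(0))

def eval_biv(p, x, y):
    return sum(c * x ** i * y ** j for (i, j), c in p.items())

def recover_roots(p1, p2, bound):
    """Common integer roots with |x|, |y| <= bound, found by eliminating y.
    Returns None when Res_y is identically zero (algebraically dependent inputs)."""
    r = resultant_y(p1, p2)
    if not r:
        return None
    roots = []
    for x0 in range(-bound, bound + 1):
        if eval_poly(r, x0) != 0:
            continue
        for y0 in range(-bound, bound + 1):
            if eval_biv(p1, x0, y0) == 0 and eval_biv(p2, x0, y0) == 0:
                roots.append((x0, y0))
    return roots

# Constructed inputs (not from any paper): both vanish at (3, -5).
P1 = {(1, 0): 1, (0, 1): 1, (0, 0): 2}  # x + y + 2
P2 = {(1, 1): 1, (0, 0): 15}            # x*y + 15
P3 = {(2, 0): 1, (1, 1): 1, (1, 0): 2}  # x^2 + x*y + 2x = x * P1

if __name__ == "__main__":
    print("Res_y(P1, P2) =", resultant_y(P1, P2))  # [15, -2, -1], i.e. 15 - 2x - x^2
    print("roots from (P1, P2):", recover_roots(P1, P2, 20))  # [(-5, 3), (3, -5)]
    print("roots from (P1, P3):", recover_roots(P1, P3, 20))  # None
```

The resultant of `P1` and `P2` factors as `-(x - 3)(x + 5)`, so elimination returns both common roots, the planted one and the extra root (-5, 3) that the two polynomials happen to share. With `P3` in place of `P2` the Sylvester determinant is the zero polynomial: every x is a "root", which is exactly the failure mode the answer describes, and it is why the heuristic step in practical Coppersmith-style attacks is precisely the assumption that this does not happen.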